
NGINX Security Configuration Guide

1. Introduction

NGINX is a powerful web server that also functions as a reverse proxy, load balancer, and HTTP cache. Securing NGINX is crucial to protect your web applications from various threats. This guide covers essential NGINX security configurations.

2. Rate Limiting

2.1. Introduction to Rate Limiting

Rate limiting controls the number of requests a user can make to the server in a given time frame. This helps protect against denial-of-service (DoS) attacks and reduces the load on the server.

2.2. Configuring Rate Limiting

  1. Define the Rate Limiting Zone:

    Add the following to your NGINX configuration file (usually located at /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf):

    http {
        limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
    }
    • $binary_remote_addr: The variable representing the client’s IP address.
    • mylimit:10m: Defines a zone named mylimit that can hold state information for about 160,000 IP addresses.
    • rate=10r/s: Limits each IP address to 10 requests per second.
  2. Apply the Rate Limiting:

    Apply the rate limit in your server or location block:

    server {
        location /login/ {
            limit_req zone=mylimit burst=20 nodelay;
        }
    }
    • burst=20: Allows a burst of 20 requests above the limit.
    • nodelay: Serves requests within the burst immediately instead of queuing them so that they are passed on at the configured rate.
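
The following Python model is an added example, not configuration or code from the guide: it reproduces the leaky-bucket accounting that ngx_http_limit_req_module applies per key ($binary_remote_addr above), so the effect of rate, burst and nodelay can be seen without a running server. The client address and arrival times are constructed for the demonstration.

```python
# Added example (not from the guide): a model of nginx's limit_req leaky bucket.
# One bucket per key; its state is the "excess" (requests above the rate that
# have not yet drained) and the time of the last accepted request.

class LimitReqZone:
    """Model of `limit_req_zone ... rate=<rate>r/s` plus `limit_req burst=<burst> [nodelay]`."""

    def __init__(self, rate, burst=0, nodelay=False):
        self.rate = float(rate)      # requests per second
        self.burst = burst           # extra requests tolerated above the rate
        self.nodelay = nodelay
        self._state = {}             # key -> [excess, last_time]

    def request(self, key, now):
        """Return ("accept", delay_seconds) or ("reject", None) for a request at time `now`."""
        if key not in self._state:
            # First request for this key: nothing has accumulated yet.
            self._state[key] = [0.0, now]
            return "accept", 0.0
        excess, last = self._state[key]
        # Drain the bucket at the configured rate, then add this request.
        excess = max(0.0, excess - self.rate * (now - last)) + 1.0
        if excess > self.burst:
            # Over the burst: rejected (HTTP 503 unless limit_req_status says otherwise).
            # nginx does not record rejected requests in the bucket.
            return "reject", None
        self._state[key] = [excess, now]
        # Without nodelay the excess is served at the configured rate, so this
        # request waits excess/rate seconds; with nodelay it is served at once.
        delay = 0.0 if self.nodelay else excess / self.rate
        return "accept", delay


def simulate(n_requests, rate=10, burst=20, nodelay=True, spacing=0.0, key="203.0.113.9"):
    """Send n requests from one constructed client IP, `spacing` seconds apart,
    and summarise how the zone treats them."""
    zone = LimitReqZone(rate, burst, nodelay)
    accepted = rejected = 0
    max_delay = 0.0
    for i in range(n_requests):
        verdict, delay = zone.request(key, i * spacing)
        if verdict == "accept":
            accepted += 1
            max_delay = max(max_delay, delay)
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected, "max_delay": max_delay}


if __name__ == "__main__":
    # 30 requests arriving at the same instant with burst=20 nodelay:
    # the first request plus 20 burst requests pass, the other 9 get 503.
    print(simulate(30))
    # Same arrival pattern without nodelay: the same 21 pass, but the 21st
    # is held back 20/10 = 2.0 s so the burst drains at 10 r/s.
    print(simulate(30, nodelay=False))
    # Requests spaced 100 ms apart never exceed 10 r/s, so none are rejected.
    print(simulate(30, spacing=0.1))
```

The model makes the burst arithmetic explicit: with rate=10r/s and burst=20, a client can land 21 requests in one instant, and from then on one more request drains every 100 ms; nodelay only changes whether the accepted burst is served immediately or paced, not how many requests are accepted.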

2.3. Testing Rate Limiting

After configuring rate limiting, test it by sending many requests to the server with a tool such as curl or ab (ApacheBench); requests over the limit should come back with HTTP 503.

ab -n 100 -c 10 http://yourdomain.com/login/

3. Denying Access to Specific IPs or Subnets

3.1. Blocking Specific IP Addresses

To block specific IP addresses, use the deny directive:

server {
    location / {
        deny 192.168.1.100;
        allow all;
    }
}
  • deny 192.168.1.100;: Denies access from the specified IP address.
  • allow all;: Allows access from all other IP addresses. Rules are checked in the order written and the first match wins.

3.2. Blocking an Entire Subnet

To block an entire subnet, specify the subnet in CIDR notation:

server {
    location / {
        deny 192.168.1.0/24;
        allow all;
    }
}

3.3. Allowing Access to Specific IPs

To allow only specific IPs and deny all others:

server {
    location / {
        allow 192.168.1.100;
        deny all;
    }
}
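
To make the rule-ordering behaviour of sections 3.1 to 3.3 concrete, here is an added Python model (not code from the guide or from nginx) of how ngx_http_access_module evaluates allow/deny rules: in the order written, first match wins, and a request matching no rule is allowed. The rule sets and client addresses are constructed for the demonstration.

```python
# Added example (not from the guide): a model of nginx allow/deny evaluation.
import ipaddress


def parse_rules(config_lines):
    """Turn lines such as 'deny 192.168.1.0/24;' or 'allow all;' into (action, network) tuples."""
    rules = []
    for line in config_lines:
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"not an access rule: {line!r}")
        # 'all' is represented as None; a bare address becomes a /32 (or /128) network.
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def is_allowed(rules, client_ip):
    """Evaluate the rules for one client address the way nginx does."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or (addr.version == network.version and addr in network):
            return action == "allow"      # first matching rule decides
    return True                           # no rule matched: access is allowed


# Constructed rule sets mirroring sections 3.1-3.3, plus one misordered set
# showing why the order matters.
BLOCK_ONE_HOST = parse_rules(["deny 192.168.1.100;", "allow all;"])
BLOCK_SUBNET = parse_rules(["deny 192.168.1.0/24;", "allow all;"])
ALLOWLIST_ONLY = parse_rules(["allow 192.168.1.100;", "deny all;"])
MISORDERED = parse_rules(["allow all;", "deny 192.168.1.100;"])   # the deny is never reached

if __name__ == "__main__":
    cases = [("block one host", BLOCK_ONE_HOST), ("block subnet", BLOCK_SUBNET),
             ("allowlist only", ALLOWLIST_ONLY), ("misordered", MISORDERED)]
    for name, rules in cases:
        print(name, {ip: is_allowed(rules, ip) for ip in ("192.168.1.100", "192.168.1.7", "10.0.0.1")})
```

Two points the model brings out: `allow all;` placed before a `deny` makes the deny dead configuration, and `deny all;` also covers IPv6 clients, while an IPv4-only `allow` never matches an IPv6 address. Note too that these rules test $remote_addr, so behind a proxy they see the proxy's address unless the realip setup of section 4 is in place.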

4. Recording Clients' Real IPs in NGINX Logs

4.1. Capturing the Real IP Address

If your NGINX server is behind a reverse proxy or load balancer, you may need to capture the client's real IP address.

  1. Install the Real IP Module:

    Ensure that ngx_http_realip_module is compiled into your NGINX build (the output of nginx -V lists --with-http_realip_module when it is).

  2. Configure NGINX to Capture the Real IP:

    http {
        set_real_ip_from 192.168.1.0/24;  # Replace with your proxy's IP range
        real_ip_header X-Forwarded-For;
    }
    • set_real_ip_from: Specifies the address range of the trusted proxy or load balancer; the header is only honoured on connections coming from these addresses.
    • real_ip_header: Indicates the header that contains the real IP.

4.2. Logging the Real IP

With the realip module active, $remote_addr already holds the client's real address; update the log format to also record $realip_remote_addr, the address of the proxy that actually connected:

http {
    log_format main '$remote_addr - $realip_remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
 
    access_log /var/log/nginx/access.log main;
}
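
The following Python function is an added example (not code from the guide or from nginx) that models the decision ngx_http_realip_module makes for `real_ip_header X-Forwarded-For`, including the `real_ip_recursive` setting the guide leaves at its default of off. It returns the pair ($remote_addr, $realip_remote_addr) as they would appear in the log_format above. All addresses and header values are constructed for the demonstration.

```python
# Added example (not from the guide): a model of the realip module's X-Forwarded-For handling.
import ipaddress


def resolve_real_ip(peer_addr, xff_header, trusted_cidrs, recursive=False):
    """Return ($remote_addr, $realip_remote_addr) as nginx would set them.

    peer_addr     -- address of the TCP peer ($remote_addr before realip runs)
    xff_header    -- the X-Forwarded-For header value, or None if absent
    trusted_cidrs -- the set_real_ip_from ranges
    recursive     -- real_ip_recursive on (True) or off (False, the default)
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    peer = ipaddress.ip_address(peer_addr)

    def is_trusted(addr):
        return any(addr.version == n.version and addr in n for n in trusted)

    # Only a connection from a trusted proxy may rewrite the client address.
    # A client connecting directly can send any X-Forwarded-For it likes;
    # the header is simply ignored and the peer address is logged.
    if not xff_header or not is_trusted(peer):
        return peer_addr, peer_addr

    hops = [h.strip() for h in xff_header.split(",")]
    chosen = None
    for hop in reversed(hops):            # walk from the rightmost (most recently appended) entry
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                          # unparsable entry: stop, keep whatever was found so far
        chosen = hop
        if not recursive or not is_trusted(addr):
            break                          # off: last entry wins; on: first untrusted entry wins
    if chosen is None:
        return peer_addr, peer_addr        # nothing usable in the header
    return chosen, peer_addr


# Constructed setup: the guide's proxy range plus an internal range for a second hop.
TRUSTED = ["192.168.1.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    print(resolve_real_ip("203.0.113.5", "6.6.6.6", TRUSTED))                       # direct client, spoofed header ignored
    print(resolve_real_ip("192.168.1.10", "6.6.6.6, 203.0.113.5", TRUSTED))         # proxy appended the true client last
    print(resolve_real_ip("192.168.1.10", "203.0.113.5, 10.0.0.7", TRUSTED))        # two proxies, recursive off
    print(resolve_real_ip("192.168.1.10", "203.0.113.5, 10.0.0.7", TRUSTED, True))  # two proxies, recursive on
```

The cases show why set_real_ip_from must be restricted to the proxies you actually operate: the header is only believed from those addresses, and with a single proxy the default non-recursive mode already picks the address the proxy appended rather than anything the client placed earlier in the header. With two trusted hops, only `real_ip_recursive on;` skips past the internal proxy to the real client.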

5. Implementing HTTP Security Headers

5.1. Content Security Policy (CSP)

CSP helps prevent cross-site scripting (XSS) attacks by restricting the sources from which content can be loaded.

server {
    location / {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://apis.google.com";
    }
}

5.2. X-Frame-Options

The X-Frame-Options header protects against clickjacking attacks by preventing your site from being embedded in a frame.

server {
    location / {
        add_header X-Frame-Options "SAMEORIGIN";
    }
}

5.3. X-Content-Type-Options

This header prevents browsers from MIME-sniffing a response away from the declared content-type.

server {
    location / {
        add_header X-Content-Type-Options "nosniff";
    }
}

5.4. HSTS (HTTP Strict Transport Security)

HSTS tells browsers that have received the header to use HTTPS only for the given period, upgrading any later plain-HTTP request to HTTPS before it is sent.

server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
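
As an added example that is not part of the guide, the Python audit below takes the response headers a client would see (constructed here as dicts) and checks the four headers from sections 5.1 to 5.4 for presence and for weak values. The thresholds and the list of risky CSP sources are assumptions chosen for this example, not values taken from the guide.

```python
# Added example (not from the guide): audit a response's security headers.

def check_security_headers(headers, https=True):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {}
        for part in csp.split(";"):                   # "name source source ..." per directive
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when absent, as in CSP itself.
        script_src = directives.get("script-src", directives.get("default-src", []))
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):   # assumption: treated as weak here
            if risky in script_src:
                findings.append(f"CSP script-src allows {risky}")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if https:                                          # HSTS is only meaningful on HTTPS responses
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("HSTS missing")
        else:
            max_age = None
            for part in hsts.split(";"):
                name, _, value = part.strip().partition("=")
                if name.lower() == "max-age" and value.isdigit():
                    max_age = int(value)
            if max_age is None:
                findings.append("HSTS max-age unparsable")
            elif max_age < 31536000:                   # assumption: require at least one year
                findings.append(f"HSTS max-age {max_age} is shorter than one year")
    return findings


# Constructed responses: one matching sections 5.1-5.4, one with weak values.
GOOD = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://apis.google.com",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "sniff",
}

if __name__ == "__main__":
    print("good:", check_security_headers(GOOD))
    print("weak:", check_security_headers(WEAK))
```

A check like this is worth running against the live server rather than reading the configuration, because of an nginx detail that bites here: add_header directives are inherited from the enclosing level only when the current level has no add_header of its own, so a location that adds even one header silently drops every header set in the server or http block unless they are repeated there.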

6. Protecting Against DDoS Attacks

6.1. Using Limit Connections

Limit the number of connections allowed from a single IP address.

  1. Define the Connection Limiting Zone:

    http {
        limit_conn_zone $binary_remote_addr zone=addr:10m;
    }
  2. Apply the Connection Limit:

    server {
        location / {
            limit_conn addr 10;
        }
    }
    • limit_conn addr 10;: Limits each IP address to 10 concurrent connections.

7. Enforcing SSL/TLS Security

7.1. Redirecting HTTP to HTTPS

Force all traffic to use HTTPS:

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

This streamlined guide covers the essentials for basic NGINX security, focusing on rate limiting, blocking specific IPs or subnets, and logging the real IPs of clients.
